FirmAdapt
Tags: AI compliance, regulatory, privacy, data protection, EU AI Act

EU AI Act Annex III: The High-Risk Categories You Probably Did Not Realize You Are In

By Basel Ismail, May 15, 2026


Annex III of the EU AI Act is where the real action is. While most of the public conversation has focused on foundation models and general-purpose AI (the GPAI provisions in Articles 51-56), Annex III quietly defines the eight areas in which AI systems are classified as high-risk under Article 6(2). If your system falls into one of these categories, you are looking at conformity assessments, risk management obligations, human oversight requirements, and, under Article 99(4), fines of up to 15 million EUR or 3% of worldwide annual turnover, whichever is higher (the 35 million EUR / 7% tier that gets quoted most often is reserved for the prohibited practices in Article 5). The regulation entered into force on August 1, 2024, and the obligations for Annex III high-risk systems apply from August 2, 2026. That window is shrinking fast.

I have walked through each of the eight Annex III categories below, with specific use cases that catch people off guard. If you are deploying AI in any regulated industry, there is a reasonable chance you are in one of these buckets and do not know it yet.

1. Biometrics (Annex III, Section 1)

This covers remote biometric identification systems (1(a)), biometric categorisation according to sensitive or protected attributes (1(b)), and emotion recognition systems (1(c)). The obvious cases are facial recognition and fingerprint matching. The less obvious ones: if you are using AI to categorise people by age, gender, or other sensitive attributes inferred from biometric data, you are in. Some of this is not merely high-risk but prohibited outright: Article 5(1)(g) bans biometric categorisation that deduces race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation, and Article 5(1)(f) bans emotion recognition in the workplace and in education institutions except where it is intended for medical or safety reasons. Emotion recognition everywhere else is high-risk under 1(c).

Two words matter here: "remote" and "verification." Annex III 1(a) expressly excludes biometric verification whose sole purpose is to confirm that a specific natural person is who they claim to be. A door-access system that does one-to-one matching of a presented face against that person's enrolled template is therefore not caught by 1(a); the same camera doing one-to-many matching of passers-by against a watchlist is remote biometric identification and is in scope. If your HR platform uses video interview analysis that infers emotional states or personality traits, you are squarely in scope: that is an emotion recognition system under 1(c), it is also a recruitment tool under Section 4, and if it is used on existing employees the Article 5(1)(f) prohibition has to be checked first.

2. Critical Infrastructure (Annex III, Section 2)

AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, or the supply of water, gas, heating and electricity. This is broader than you might think. If you are running predictive maintenance AI on utility networks, traffic management optimisation, or smart grid load balancing, these are candidates for high-risk classification whenever they perform a safety function. The key phrase is "safety component," which Article 3(14) defines as a component of a product or of an AI system which fulfils a safety function for that product or AI system, or the failure or malfunctioning of which endangers the health and safety of persons or property. Recital 55 gives water pressure monitoring and fire alarm control systems in cloud computing centres as examples.

Cloud infrastructure providers should pay attention here. If your AI system manages failover or capacity allocation for services that underpin critical infrastructure clients, the argument that you are a safety component gets uncomfortably strong. AI-driven threat detection is the one area with an explicit carve-out: Recital 55 states that components intended to be used solely for cybersecurity purposes should not qualify as safety components. Document that intended purpose carefully, because a detection system that also takes availability-affecting actions (isolating hosts, rerouting traffic) is no longer "solely" for cybersecurity.

3. Education and Vocational Training (Annex III, Section 3)

This one surprises people. AI systems used to determine access to or admission into educational institutions are high-risk. So are systems that evaluate learning outcomes, determine the appropriate level of education a person can access, or monitor prohibited behavior during exams (think AI proctoring). If you are an edtech company using AI to score essays, recommend course placements, or flag cheating during remote exams, you are in Annex III.

The scope extends to vocational training, which means corporate learning platforms that use AI to determine which employees qualify for certifications, promotions tied to training completion, or skills assessments could fall within this category depending on how consequential the output is for the individual.

4. Employment, Workers Management, and Access to Self-Employment (Annex III, Section 4)

This is the big one for most enterprises. AI systems used for recruitment (screening CVs, ranking candidates), making decisions on promotion or termination, task allocation based on individual behavior or personal traits, and monitoring or evaluating worker performance are all high-risk. The language is broad and intentional.

Practically speaking: your ATS with AI-powered candidate ranking? High-risk. Your workforce management platform that uses algorithms to assign shifts based on performance scores? High-risk. The AI tool your managers use to flag underperforming employees? High-risk. This category will touch nearly every company of meaningful size that uses AI in HR workflows.

5. Access to Essential Private and Public Services (Annex III, Section 5)

AI systems used to evaluate creditworthiness or establish credit scores are explicitly listed in 5(b), with one carve-out worth knowing about: systems used for the purpose of detecting financial fraud are excluded. Also listed are systems used to assess eligibility for public assistance benefits (5(a)), risk assessment and pricing in life and health insurance (5(c)), and the evaluation and classification of emergency calls, dispatch prioritisation, and patient triage in emergency healthcare (5(d)). If you work in financial services or insurance and use any AI in underwriting, credit decisioning, or claims triage, this section applies to you; a fraud model that also feeds the credit decision does not get the fraud carve-out for that second use.

One use case that gets overlooked: AI systems used to evaluate and classify emergency calls, including those that determine dispatch priority. If you are building or deploying technology for 911 centres or their European 112 equivalents, you are building a high-risk AI system.

6. Law Enforcement (Annex III, Section 6)

AI used for individual risk assessments (predicting whether someone will offend or reoffend, or become a victim of a criminal offence), polygraphs and similar tools, evaluation of the reliability of evidence, and profiling during criminal investigations. Most private companies assume this section does not apply to them, and for many it does not. But if you sell AI tools to law enforcement agencies, you are the provider of a high-risk AI system under the Act, and the provider obligations in Article 16 fall on you; your government customer carries the deployer obligations in Article 26 on top, not instead.

7. Migration, Asylum, and Border Control (Annex III, Section 7)

AI systems used as polygraphs or similar tools during immigration procedures, for assessing security, irregular migration or health risks posed by individuals, for examining applications for asylum, visas, and residence permits, and for detecting, recognising or identifying individuals in the context of migration, asylum or border control (verification of travel documents is carved out). Again, if you are a private vendor selling document verification AI, identity matching, or risk scoring tools to border agencies or immigration services, you are the provider of a high-risk system. The obligations under Articles 9 through 15 apply to you directly.

8. Administration of Justice and Democratic Processes (Annex III, Section 8)

AI systems intended to assist judicial authorities in researching and interpreting facts and the law, and in applying the law to concrete facts; the same item covers alternative dispute resolution used in a similar way. Also covered: AI used to influence the outcome of elections or referendums, or the voting behaviour of persons, with the exception of systems whose output natural persons are not directly exposed to, such as tools used to organise, optimise or structure political campaigns. Legal research AI tools that go beyond simple search and actually recommend legal interpretations or predict case outcomes could fall here, depending on how they are marketed and used. If you are building AI for courts, arbitration bodies, or alternative dispute resolution platforms, read this section carefully.

The Cross-Cutting Problem

The tricky part of Annex III is that classification depends on intended purpose (a defined term in Article 3(12): the use the provider specifies in the instructions, marketing and technical documentation), not just technical capability. The same underlying model could be high-risk in one deployment and not in another. A language model used for internal knowledge management is probably fine. The same model used to screen job applicants is high-risk. This means companies need to track not just what AI they are building, but how it is being used across their organisation and by their customers, and a deployer who repurposes a system beyond its intended purpose can become a provider under Article 25.

Article 6(3) provides a narrow exception: a system listed in Annex III is not high-risk if it is intended to perform a narrow procedural task, improve the result of a previously completed human activity, detect decision-making patterns or deviations without replacing or influencing a completed human assessment without proper human review, or perform a preparatory task. Two caveats make this exception narrower than it looks. First, the same paragraph states that an Annex III system is always high-risk when it performs profiling of natural persons, so a CV ranker or risk scorer cannot use it. Second, Article 6(4) requires the provider to document the assessment before the system is placed on the market and to register the system in the EU database under Article 49(2) anyway. Relying on the exception without that documented analysis is risky.

The compliance requirements for high-risk systems are substantial: risk management systems (Article 9), data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), transparency (Article 13), human oversight (Article 14), and accuracy, robustness, and cybersecurity (Article 15). Article 15(5) is the one security teams will own: it requires resilience against attempts by unauthorised third parties to alter the system's use, outputs or performance by exploiting vulnerabilities, and technical measures to prevent, detect and respond to AI-specific attacks, which it names as data poisoning, model poisoning, adversarial examples or model evasion, and confidentiality attacks. Non-compliance penalties for high-risk obligations under Article 99(4) scale up to 15 million EUR or 3% of worldwide annual turnover, whichever is higher; the 35 million EUR / 7% tier in Article 99(3) applies to the Article 5 prohibitions.

How FirmAdapt Addresses This

FirmAdapt's platform is built around the assumption that regulated companies will increasingly find themselves deploying AI systems that fall within high-risk categories, often without initially realizing it. The platform's compliance architecture maps AI use cases against Annex III classifications and surfaces risk categorization early in the deployment lifecycle, before systems go into production and before regulatory exposure accumulates.

For organizations that are already operating high-risk systems, FirmAdapt provides the documentation, audit trail, and human oversight infrastructure that Articles 9 through 15 require. The goal is to make compliance a structural feature of how AI gets deployed rather than a retroactive exercise conducted under deadline pressure. If you are in any of the eight categories above, the 2026 enforcement date is closer than it feels.
